From 4b8a64b70c036d81b74ae5950f94660177fab912 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 14 Apr 2015 17:24:30 -0700 Subject: [PATCH 1/3] Build shim into the image grub requires that shim be available in order to call out to verify the kernel. Sign it and stick it in the image alongside grub. --- build_library/grub_install.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh index b3448508d1..0eb4fc1f59 100755 --- a/build_library/grub_install.sh +++ b/build_library/grub_install.sh @@ -147,7 +147,11 @@ case "${FLAGS_target}" in --cert /usr/share/sb_keys/DB.crt \ "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}.signed" \ - "${ESP_DIR}/EFI/boot/bootx64.efi" + "${ESP_DIR}/EFI/boot/grub.efi" + sudo sbsign --key /usr/share/sb_keys/DB.key \ + --cert /usr/share/sb_keys/DB.crt \ + --output "${ESP_DIR}/EFI/boot/bootx64.efi" \ + "/usr/lib/shim/shim.efi" else sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \ "${ESP_DIR}/EFI/boot/bootx64.efi" From 07e5220f601292c9982b2953592685a1dee8531c Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 16 Apr 2015 15:55:02 -0700 Subject: [PATCH 2/3] Add the kernels to the ESP Once we're signing the root filesystem, we're not going to be able to boot the kernel from there. Copy the kernel out to the EFI System Partition and sign it. --- build_library/build_image_util.sh | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh index 733eb209ae..ff03d929d7 100755 --- a/build_library/build_image_util.sh +++ b/build_library/build_image_util.sh 
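Review bot: Nothing in this hunk checks the signatures it produces, so a bad or missing signature on the new `bootx64.efi` (shim) or `grub.efi` would only surface as a boot failure on a Secure Boot machine. Adding `sudo sbverify --cert /usr/share/sb_keys/DB.crt "${ESP_DIR}/EFI/boot/bootx64.efi"` after the new `sbsign` call, and the same for `grub.efi`, would fail the build instead. The shim call uses `--output`, while the grub call above it still signs to `.signed` and then copies; using `--output` for both would be consistent. The `else` branch still installs an unsigned grub as `bootx64.efi` with no shim, and the enclosing `if` condition is outside the hunk, so a comment there should say where that path gets its shim and signatures.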
@@ -258,6 +258,11 @@ finish_image() { local disk_img="${BUILD_DIR}/${image_name}" + sudo mkdir -p "${root_fs_dir}/boot/coreos" + sudo cp "${root_fs_dir}/usr/boot/vmlinuz" \ + "${root_fs_dir}/boot/coreos/vmlinuz-a" + sudo cp "${root_fs_dir}/usr/boot/vmlinuz" \ + "${root_fs_dir}/boot/coreos/vmlinuz-b" # Record directories installed to the state partition. # Explicitly ignore entries covered by existing configs. local tmp_ignore=$(awk '/^[dDfFL]/ {print "--ignore=" $2}' \ @@ -293,6 +298,19 @@ finish_image() { sudo fstrim "${root_fs_dir}/usr" || true fi + # Sign the kernels after /usr is in a consistent state + if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then + sudo sbsign --key /usr/share/sb_keys/DB.key \ + --cert /usr/share/sb_keys/DB.crt \ + "${root_fs_dir}/boot/coreos/vmlinuz-a" + sudo mv "${root_fs_dir}/boot/coreos/vmlinuz-a.signed" \ + "${root_fs_dir}/boot/coreos/vmlinuz-a" + sudo sbsign --key /usr/share/sb_keys/DB.key \ + --cert /usr/share/sb_keys/DB.crt \ + "${root_fs_dir}/boot/coreos/vmlinuz-b" + sudo mv "${root_fs_dir}/boot/coreos/vmlinuz-b.signed" \ + "${root_fs_dir}/boot/coreos/vmlinuz-b" + fi rm -rf "${BUILD_DIR}"/configroot cleanup_mounts "${root_fs_dir}" trap - EXIT From 9579f4d68a6f8ec01c68071977d3350628ce7722 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 16 Apr 2015 15:56:03 -0700 Subject: [PATCH 3/3] Update grub configuration to handle ESP kernels, build it into grub The grub configuration needs some updates to handle dealing with booting the kernel from the ESP rather than from inside the image. We also want to be able to avoid dealing with signing the config file, so build it into the binary. Finally, rather than having to cope with signing grub modules, build the ones we need to boot into the grub image. --- build_library/grub.cfg | 47 ++++++++++++++++------------------- build_library/grub_install.sh | 22 ++++++++-------- 2 files changed, 33 insertions(+), 36 deletions(-) 
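Review bot: When `COREOS_OFFICIAL` is 1, the second hunk leaves `vmlinuz-a` and `vmlinuz-b` unsigned and nothing visible here signs them later, so the comment should name the step that does, e.g. `# Official builds are signed by <signing step>; this branch only applies the keys in /usr/share/sb_keys`. The `DB.key`/`DB.crt` paths are repeated in every `sbsign` call across these patches; two variables defined once would keep the calls in step when the key location changes. The two sign-and-rename sequences differ only in the `-a`/`-b` suffix and could be a single `for slot in a b; do ...; done` loop. Both hunks sit inside `finish_image`, whose body starts and ends outside them.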
diff --git a/build_library/grub.cfg b/build_library/grub.cfg index 7f5cb12869..3fb53d86ab 100644 --- a/build_library/grub.cfg +++ b/build_library/grub.cfg @@ -1,5 +1,8 @@ # Main GRUB config +# Set the prefix back to the correct value after we're done with memdisk +set prefix=($root)/coreos/grub + # Load any and all video drivers. # Required under UEFI to boot Linux with a working console. insmod all_video 
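Review bot: Once `set prefix=($root)/coreos/grub` has run, the `insmod all_video` just below it resolves against the ESP again, and `all_video` is not in the `CORE_MODULES` list that the grub_install.sh hunk of this patch builds into the signed image. Depending on how this GRUB build treats `insmod` under Secure Boot (not visible here), the call either fails or loads an unsigned module from a writable partition, which is what embedding the modules was meant to avoid. Since `efi_gop` is already built in for x86_64-efi, consider guarding the call, e.g. `if [ "$grub_platform" != efi ]; then insmod all_video; fi`, or adding the required video modules to `CORE_MODULES`. The new comment could also state why the prefix has to be restored, presumably so that later lookups use the ESP rather than the memdisk.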
@@ -37,38 +40,30 @@ if [ -z "$linux_console" ]; then fi fi - -# Load a kernel and boot! $root must point at USR-A or USR-B -function load_coreos { - # UEFI uses linuxefi/initrdefi instead of linux/initrd - if [ "$grub_platform" = efi ]; then - set suf="efi" - else - set suf="" - fi - - echo "Loading ($root)/boot/vmlinuz" - linux$suf /boot/vmlinuz $linux_console $linux_root "$@" $linux_append - - if [ -f /boot/initrd ]; then - echo "Loading ($root)/boot/initrd" - initrd$suf /boot/initrd - fi - - echo "Booting CoreOS!" -} +# UEFI uses linuxefi/initrdefi instead of linux/initrd +if [ "$grub_platform" = efi ]; then + set suf="efi" +else + set suf="" +fi menuentry "CoreOS default" --id=coreos { - gptprio.next -d root -u usr_uuid - load_coreos mount.usr=PARTUUID=$usr_uuid + gptprio.next -d usr -u usr_uuid + if [ "$usr_uuid" = "7130c94a-213a-4e5a-8e26-6cce9662f132" ]; then + linux$suf /coreos/vmlinuz-a $linux_console $linux_root \ + mount.usr=PARTUUID=$usr_uuid $linux_append + else + linux$suf /coreos/vmlinuz-b $linux_console $linux_root \ + mount.usr=PARTUUID=$usr_uuid $linux_append + fi } menuentry "CoreOS USR-A" --id=coreos-a { - search --no-floppy --set root --part-label USR-A --hint "$root" - load_coreos mount.usr=PARTLABEL=USR-A + linux$suf /coreos/vmlinuz-a $linux_console $linux_root \ + mount.usr=PARTLABEL=USR-A $linux_append } menuentry "CoreOS USR-B" --id=coreos-b { - search --no-floppy --set root --part-label USR-B --hint "$root" - load_coreos mount.usr=PARTLABEL=USR-B + linux$suf /coreos/vmlinuz-b $linux_console $linux_root \ + mount.usr=PARTLABEL=USR-B $linux_append } diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh index 0eb4fc1f59..844f3c6170 100755 --- a/build_library/grub_install.sh +++ b/build_library/grub_install.sh 
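Review bot: The `else` branch in the `coreos` menuentry boots `vmlinuz-b` for every value of `$usr_uuid` other than the one hard-coded UUID, including an empty value if `gptprio.next` does not set it. Testing the second partition's UUID explicitly and ending with an error branch such as `else echo "unexpected usr_uuid: $usr_uuid"; fi` would avoid pairing a kernel with the wrong /usr partition. The literal `7130c94a-213a-4e5a-8e26-6cce9662f132` needs a comment naming the partition it identifies, presumably USR-A given the `vmlinuz-a` path. The USR-A and USR-B entries no longer run `search`, so their kernel paths depend on whatever `$root` is at that point; a one-line comment stating that `$root` is expected to be the ESP would make that assumption visible.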
@@ -29,18 +29,19 @@ switch_to_strict_mode # Our GRUB lives under coreos/grub so new pygrub versions cannot find grub.cfg GRUB_DIR="coreos/grub/${FLAGS_target}" -# Modules required to find and read everything else from ESP -CORE_MODULES=( fat part_gpt search_fs_uuid gzio ) +# Modules required to boot a standard CoreOS configuration +CORE_MODULES=( normal search test fat part_gpt search_fs_uuid gzio search_part_label terminal gptprio configfile memdisk tar echo ) # Name of the core image, depends on target CORE_NAME= case "${FLAGS_target}" in i386-pc) - CORE_MODULES+=( biosdisk ) + CORE_MODULES+=( biosdisk serial ) CORE_NAME="core.img" ;; x86_64-efi) + CORE_MODULES+=( serial linuxefi efi_gop ) CORE_NAME="core.efi" ;; x86_64-xen) @@ -111,25 +112,26 @@ info "Generating ${GRUB_DIR}/load.cfg" ESP_FSID=$(sudo grub-probe -t fs_uuid -d "${LOOP_DEV}p1") sudo_clobber "${ESP_DIR}/${GRUB_DIR}/load.cfg" <
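Review bot: The new `CORE_MODULES=( normal search test ... echo )` assignment in the first hunk runs well past 100 columns and mixes modules with different roles. Breaking it into one group per line with a short comment each (filesystem and partition, search, memdisk/tar for the embedded config, gptprio, console) would make later additions easier to review. Because this list now decides which code is covered by the signature on the core image, the header comment should say so, e.g. `# Built into the signed core image; anything missing would have to be loaded from the ESP`. `serial` is appended separately for i386-pc and x86_64-efi and could move to the common list if x86_64-xen, whose arm is outside the hunk, needs it too.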